
The minimum value for the rate limit of rate-based rules has been changed to 10

Table of Contents

  1. Introduction
  2. Changes to Rate-Based Rules
  3. Configuration of Rate-Based Rules
  4. Effects on WafCharm
  5. Conclusion

1. Introduction

AWS WAF enhances rate-based rules to support lower rate limits

Following the extension of the evaluation window options for rate-based rules around March, this update allows rate limit values below 100 to be set.

2. Changes to Rate-Based Rules

Previously, the minimum value that could be specified for the rate limit was 100, but with this update, values of 10 or greater can now be specified. The guidance on the AWS WAF page has also been updated to state, "Rate limit must be between 10 and 2,000,000,000."

The configuration method has not been changed. You can set it up simply by entering a value of 10 or higher in the Rate limit input field.

3. Configuration of Rate-Based Rules

As stated above, there are no changes to the configuration method.

Here's what a rule looks like when specifying the minimum value for the rate limit (in this case, with a 5-minute evaluation window):

{
  "Name": "rate-based-rule",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 10,
      "EvaluationWindowSec": 300,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "rate-based-rule"
  }
}

The rule structure remains unchanged, with the only difference being that the value in the Limit field can now be set as low as 10.

4. Effects on WafCharm

As of September 2nd, 2024, WafCharm hasn't caught up with the update yet and is currently working on it. If you create a rate-based rule with a rate limit of less than 100, errors may occur in WafCharm. We apologize for the inconvenience. We will update the post once WafCharm catches up with the update.

WafCharm has caught up with the update. You can now:

  • Add rate-based rules with a rate limit lower than 100 from the AWS management console as your own rule.
  • Specify a value lower than 100 in the rate limit field when configuring a rate-based rule on WafCharm Console for Advanced Rule policy.

If you would like to add a rate-based rule via customization service, contact the WafCharm Support team with the rate limit of your choice.

5. Conclusion

Previously, the minimum threshold was 100/1 minute, but now the minimum threshold will be 10/1 minute. While this allows for more flexible configuration, it's worth noting that even with a threshold of 100/5 minutes, there were instances where legitimate requests could be detected and blocked depending on the request rate. Therefore, for thresholds below this, it's advisable to deploy the rule with the Count action first and observe its behavior before switching it to Block.

Additionally, rate-based rules allow you to use scope-down statements to narrow down the requests subject to rate limiting. When using relatively small thresholds, it may be useful to first narrow down the requests you want to target for rate limiting before configuring the rule.
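The two recommendations above (start in Count mode, and narrow the rule with a scope-down statement) are easy to combine. The following is an added example, not code from WafCharm or AWS: it builds a rate-based rule in the same JSON layout as the one shown earlier, with a scope-down statement on the URI path and the Count action, validates the Limit range quoted in this post, and then dry-runs the rule against a small set of constructed sample requests to show which client IPs would trip a threshold of 10 over a 5-minute window, with and without the scope-down. The `uri_prefix` parameter, the `simulate` function and the sample traffic are assumptions made for this illustration; the sliding-window count only approximates the service, which evaluates on its own schedule.

```python
"""Added example (not WafCharm's or AWS's code): build a rate-based rule with a
scope-down statement in Count mode, then dry-run it against constructed traffic.
Assumes the rule JSON layout shown in the post; the log-like sample records
below are constructed, not real AWS WAF logs."""
import json
from collections import defaultdict, deque

LIMIT_MIN, LIMIT_MAX = 10, 2_000_000_000   # range quoted in the post
WINDOWS_SEC = (60, 120, 300, 600)           # EvaluationWindowSec values AWS accepts


def build_rate_rule(name, limit, window_sec, uri_prefix=None, block=False):
    """Return a rate-based rule dict in the same layout as the post's example.

    uri_prefix (hypothetical parameter) adds a scope-down statement so that only
    requests whose URI path starts with that prefix count toward the limit.
    block=False keeps the rule in Count mode so it can be observed first."""
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        raise ValueError(f"Rate limit must be between {LIMIT_MIN} and {LIMIT_MAX:,}")
    if window_sec not in WINDOWS_SEC:
        raise ValueError(f"EvaluationWindowSec must be one of {WINDOWS_SEC}")
    statement = {
        "Limit": limit,
        "EvaluationWindowSec": window_sec,
        "AggregateKeyType": "IP",
    }
    if uri_prefix is not None:
        statement["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                "SearchString": uri_prefix,
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "STARTS_WITH",
            }
        }
    return {
        "Name": name,
        "Priority": 1,
        "Statement": {"RateBasedStatement": statement},
        "Action": {"Block": {}} if block else {"Count": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def simulate(requests, limit, window_sec, uri_prefix=None):
    """Dry-run of the rule: return the set of client IPs whose in-scope request
    count exceeded `limit` within any trailing window of `window_sec` seconds.
    `requests` is a time-ordered iterable of (epoch_seconds, client_ip, uri_path).
    Sliding-window approximation of the service, which evaluates periodically."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, uri in requests:
        if uri_prefix is not None and not uri.lower().startswith(uri_prefix.lower()):
            continue  # scope-down: out-of-scope requests never count toward the limit
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - window_sec:
            window.popleft()  # drop requests that fell out of the trailing window
        if len(window) > limit:
            flagged.add(ip)
    return flagged


# Constructed sample traffic: (seconds, client IP, URI path), documentation IPs only.
SAMPLE_TRAFFIC = sorted(
    [(t * 8, "203.0.113.5", "/login") for t in range(12)]             # 12 hits on /login in 88 s
    + [(t * 10, "198.51.100.7", "/static/app.js") for t in range(30)]  # 30 ordinary asset fetches
    + [(t * 50, "198.51.100.7", "/login") for t in range(5)]          # 5 ordinary logins
)

if __name__ == "__main__":
    rule = build_rate_rule("login-rate", 10, 300, uri_prefix="/login")
    print(json.dumps(rule, indent=2))
    print("scoped to /login:", simulate(SAMPLE_TRAFFIC, 10, 300, "/login"))
    print("no scope-down:  ", simulate(SAMPLE_TRAFFIC, 10, 300))
```

With the scope-down in place only the client hammering /login exceeds 10 requests in the window; without it, the ordinary client is flagged as well because its 30 static-asset fetches count toward the same limit. That is the kind of result to check in Count mode (via the rule's CloudWatch metric and sampled requests) before changing the action to Block.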